SOLVED

Unable to join domain - 5 out of 10 times

Deleted

Has anyone encountered this error? I've recreated the VDI/RDS environment multiple times, each with the same result. Out of the 15 we are spinning up, 5 always fail. It's seemingly random which 5 do not join (i.e., it isn't the first 5 or the last 5 or in sequential order). In this dev subscription, we have 10 E5 and 5 E3 O365 licenses - this is the only clue I have; however, those licenses are all eligible for WDS.

Any help would be appreciated.

Here is the error:

{
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Cirrus-Dev-RG-VDI/providers/Microsoft.Resources/deployments/rds.wvd-provision-host-pool-20190511025908/operations/10260C9AEE5979E4",
  "operationId": "10260C9AEE5979E4",
  "properties": {
    "provisioningOperation": "Create",
    "provisioningState": "Failed",
    "timestamp": "2019-05-11T07:10:55.6608661Z",
    "duration": "PT3M41.0234978S",
    "trackingId": "xxxxxxxx-xxxx-xxxx-xxxx-27d92fcecaa0",
    "serviceRequestId": "xxxxxxxx-xxxx-xxxx-xxxx-37e830630e43",
    "statusCode": "Conflict",
    "statusMessage": {
      "status": "Failed",
      "error": {
        "code": "ResourceDeploymentFailure",
        "message": "The resource operation completed with terminal provisioning state 'Failed'.",
        "details": [
          {
            "code": "VMExtensionProvisioningError",
            "message": "VM has reported a failure when processing extension 'joindomain'. Error message: \"Exception(s) occured while joining Domain 'cumulus-nexus.com'\"."
          }
        ]
      }
    },
    "targetResource": {
      "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Cirrus-Dev-RG-VDI/providers/Microsoft.Compute/virtualMachines/Cirrus-VDI-7/extensions/joindomain",
      "resourceType": "Microsoft.Compute/virtualMachines/extensions",
      "resourceName": "xxxxxx-VDI-7/joindomain"
    },
    "request": {
      "content": {
        "location": "eastus",
        "properties": {
          "publisher": "Microsoft.Compute",
          "type": "JsonADDomainExtension",
          "typeHandlerVersion": "1.3",
          "autoUpgradeMinorVersion": true,
          "settings": {
            "name": "cumulus-nexus.com",
            "ouPath": "",
            "user": "xxxx.xxxxx@xxxxx-nexus.com",
            "restart": "true",
            "options": "3"
          },
          "protectedSettings": {
            "password": "xxxxxxxxx"
          }
        }
      }
    },
    "response": {
      "content": {
        "startTime": "2019-05-11T07:07:16.1918493+00:00",
        "endTime": "2019-05-11T07:10:55.1293833+00:00",
        "status": "Failed",
        "error": {
          "code": "VMExtensionProvisioningError",
          "message": "VM has reported a failure when processing extension 'joindomain'. Error message: \"Exception(s) occured while joining Domain 'cumulus-nexus.com'\"."
        },
        "name": "xxxxxxxx-xxxx-xxxx-xxxx-37e830630e43"
      }
    }
  }
}

4 Replies
UPDATE: If we spin up only 10, 3 of them fail. So it isn't a license count issue. ~1/3 of the deployments fail in the "/joindomain" resource with status "conflict".
best response confirmed by Eva Seydl (Microsoft)
Solution
UPDATE (Solved): Issue was with the AAD DS domain join limit. Even though the user account was a "Global Admin", it was missing the permission "AAD DS Administrator". Incidentally, this is not the "Device Limit" in the devices blade of users. This is the "ms-DS-MachineAccountQuota" in ADUC, which MS hardcoded to 10 device joins. The "AAD DS Administrator" permission overrides that limit (obvi).
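
A way to check the quota described in the accepted answer before deploying, as an added example that is not part of the original post. It assumes a domain-joined management VM with the RSAT ActiveDirectory module; the account name `svc-domainjoin` is a hypothetical placeholder.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module
# on a domain-joined management VM; 'svc-domainjoin' is a placeholder name.
Import-Module ActiveDirectory

$JoinAccountSam = 'svc-domainjoin'   # hypothetical sAMAccountName of the join account
$PlannedHosts   = 15                 # session hosts in the deployment, as in the post

# The quota is an attribute of the domain head object (root of the domain NC).
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName `
              -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# Computer objects created under the quota record their creator in
# mS-DS-CreatorSID; joins made with delegated or admin rights do not count.
$user  = Get-ADUser -Identity $JoinAccountSam
$owned = @(Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID' |
    Where-Object { [string]$_.'mS-DS-CreatorSID' -eq $user.SID.Value })

$remaining = [math]::Max(0, $quota - $owned.Count)

# One summary row: will this account run out of joins part-way through?
[pscustomobject]@{
    Domain              = $domain.DNSRoot
    JoinAccount         = $user.SamAccountName
    MachineAccountQuota = $quota
    AlreadyJoined       = $owned.Count
    RemainingJoins      = $remaining
    PlannedHosts        = $PlannedHosts
    QuotaWillBlock      = $PlannedHosts -gt $remaining
}

# List what already consumes the quota, oldest first, for cleanup review.
$owned | Sort-Object whenCreated |
    Select-Object Name, whenCreated, DistinguishedName
```

`QuotaWillBlock` being `True` for an account that relies on the default quota matches the pattern in the thread, where joins succeed until the limit of 10 is reached and the rest fail.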

@Deleted : Thanks for the update. We'll look to include this guidance in our documentation when using Azure AD Domain Services.

@Deleted I have the same error, but my user is full global admin, AAD DS Admin, TenantCreator… No cigar so far :\
